When people download a film from Netflix to a flatscreen, or turn on web radio, they could be alerting unwanted watchers to exactly what they are doing and where they are.

Spies will no longer have to plant bugs in your home – the rise of ‘connected’ gadgets controlled by apps will mean that people ‘bug’ their own homes, says CIA director David Petraeus.

The CIA claims it will be able to ‘read’ these devices via the internet – and perhaps even via radio waves from outside the home.
Everything from remote controls to clock radios can now be controlled via apps – and chip company ARM recently unveiled low-powered, cheaper chips which will be used in everything from fridges and ovens to doorbells.

The resultant chorus of ‘connected’ gadgets will be able to be read like a book – and even remote-controlled, according to CIA CIA Director David Petraeus, according to a recent report by Wired’s ‘Danger Room’ blog.

Petraeus says that web-connected gadgets will ‘transform’ the art of spying – allowing spies to monitor people automatically without planting bugs, breaking and entering or even donning a tuxedo to infiltrate a dinner party.

‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,’ said Petraeus.

‘Particularly to their effect on clandestine tradecraft. Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters – all connected to the next-generation internet using abundant, low-cost, and high-power computing.’

I have a relatively dumb TV with a non-interactive satellite download-only box. It is NOT connected to the phone line (despite repeated pleas to do so during the set up script). I have a relatively dumb cell phone (and wish it were dumber. Eventually I’ll need to ‘roll my own cell phone’, but it ought not to be too hard, as there are many other folks doing that work). I’m in the process of securing my compute environment, as it has gotten too insecure to be used for anything that matters (for the typical Microsoft products). My car has NO computer, and I’ll not be buying one with any of: Advanced computing (at most a dumb process control chip on the engine), radio connection, microphone built in, black box (i.e. no new cars). That is, just say NO to GM and OnStar.

I’ll also never connect any kind of kitchen or wash room appliance to any internet connection. I have a 12 kv transformer and I know how to use it ;-) I can also isolate my internal power distribution from any “internet over the power plug” system (and will should it become necessary). Nobody but me needs to know that I like a midnight snack… or that I’ve not been home for a week…

Microsoft “is not helping”. The latest thing I ran into was while getting decent at BitTorrent and downloading a bunch of Linux distributions (including discovering that Debian has an ARM release!) BitTorrent has a button to turn on / download IPv6 tunneling code. As that puts a globally unique ID to your computer and distributes it globally, bypassing any security you might have from a NAT Network Address Translation gateway (via punching a hole through it) I was “less than enthused”. It had been a while since I’d looked at IPv6 and what was happening, so I looked just a bit. Seems Microsoft has turned on such tunneling / NAT busting by default. (I turned it off on my laptop on discovering that…)

It wasn’t in quite the place they said in that article. (Microsoft loves to keep moving the controls so you can’t know how to shut off their crap…) But eventually I found where the two controls had been moved and shut them off. Why? Because I want my NAT to be a security barrier. I do not want anyone punching holes in that security without telling me.

Teredo increases the attack surface by assigning globally routable IPv6 addresses to network hosts behind NAT devices, which are otherwise mostly unreachable from the Internet. By doing so, Teredo potentially exposes any IPv6-enabled application with an open port to the outside. However, such a vulnerability is an intrinsic effect from NAT traversal. Teredo also exposes the IPv6 stack and the tunneling software to attacks should they have any remotely exploitable vulnerability.

The Microsoft IPv6 stack has a “protection level” socket option. This allows applications to specify whether they are willing to handle traffic coming from the Teredo tunnel, from anywhere except Teredo (the default), or only from the local Intranet.

Firewalling, filtering, and blocking

For a Teredo pseudo-tunnel to operate properly, outgoing UDP packets must not be filtered. Moreover, replies to these packets (i.e. “solicited traffic”) must also not be filtered. This corresponds to the typical setup of a NAT and its stateful firewall functionality.

DoS via routing loops
Some new methods to create denial of service attacks via routing loops using Teredo tunnels have been uncovered recently. They are relatively easy to prevent.

Yeah, not exactly the worst hole in security to have (using Internet Explorer with automatic updates turned on and loads of ‘plug-ins’ like Java and Flash and more, pretty much leaves you wide open…) so not high on the list of worries… yet… BUT the last thing you want is a “Day Zero” attack on an IPv6 stack that you didn’t want to be using anyway…

It’s just THAT kind of thing that I do not want to be happening with my refrigerator and microwave oven…nor do I want to ‘discover’ at an ‘unfortunate’ time that a kid hacking around from Beijing has found a neat way to to shift cars into reverse via remote control of the transmission computer or turn off the engine remotely while I’m about 1/2 way through passing a semi-truck up hill in the mountains…

I’m sure eventually this particular bit of stupidity will eventually pass, but “until that day”, I can decline to participate… Just say “NO!” to the “smart grid”, and “smart appliances” and “smart cars”, and internet connected everything. They are just a dumb idea…

38 Responses to Why I like dumb appliances and cars without computers

I very scary world we are heading to. I spent my whole life designing electronics, but some things just don’t need to be smart.
I think you just pointed out an area of opportunity, design hardware and software that counters everything they are trying to do. Make a little firewall box that allows anything internet to be turned off. Possibly make packet parsers that change the packets, if possible. Have it app capable so that someone can write a security application and sell it. There are a lot of holes, but a decent could be a hit. The procedure for turning off Toredo tunneling is scary to a lot of users, sell an app for a dollar and there will be a lot of buyers.
Everyone seems intent upon knowing everything about you, people need to fight back and put up barriers.

My power company already has remotely read meters and grid control – but isn’t yet developed to the point that it is truly a “smart” grid. I can see the signals on my natural radio connected to Spectrum Lab – I heard them before connecting to spec lab, but figured out what they were when watching on spec lab. I’m with you all the way on this. I don’t have a smart phone – right now, don’t have a mobile device at all. I think it should be fairly simple to filter out the control signals from the house wiring.

About 50 years ago, my Dad bought a sign for our restaurant. While “kicking around” at The Sign Guy’s Place, he had some old neon signs he was parting out / trashing. Picked up 2 transformers. One 12 KV, the other 15 KV. About the size of a long skinny toaster… I.e. big and heavy… Makes a nice Jacobs Ladder! BIG ceramic insulator on each end, with a bolt. Just add coat hangar wire. (Salt water rub makes a fat yellow arc ;-)

Gave one to a friend (also an electronics geek). Kept one. In the garage somewhere….

The “fun bit” is that you can current limit the input ( I used to do this with an 18 vac model train transformer) and get a couple of KV out of it at very limited current. Just The Right Amount for causing some things to fry, and not others, while leaving little ‘evidence’ in the way of arc and spark marks ;-)

Or send it into a spark gap with various coils hung off of it to fuzz up some particular bit of spectrum. Now I’d likely make a broad spectrum fractal antenna, but back then I used thought about using the 40 foot tall TV antenna tower (lead in for long frequencies (strap the ends together) or top hat (TV antenna) for higher frequencies…

As Scotty said ~”The more complicated the machinery, the easier it is to gum up the works!”…

Nothing like 100 W or so of 12 kV spark gap and a bad broad spectrum resonator / antenna to quash signals… (Though FM was much more immune, it played Hob with any AM signals for a long ways around. Even the TV ‘had issues’ with the right kit…) Now, with things in the GHz range, it would likely need more ‘tuning’ ;-) Or just pulse a few kV into the house wiring when the stuff you care about is unplugged ;-) Do it during a local lightning storm for plausible denyability ;-)

@BobN:

Maybe…. but I’ve spent most of my career being Casandra and trying to convince Management and Users that they didn’t want to do Some Stupid Thing for security reasons. Generally nobody really cared. Just wanted “new features!!!” damn the consequences.

@P.G. Sharrow:

Like power companies being subject to hacking attacks: What On God’s Earth are they doing having generation plant connected to the internet at all? Or dams, or whatever. A leased line is Dirt Cheap for whatever control / communications they need. I know, I’ve bought and configured a lot of them.

Some times I wonder if they are deliberately Doing Stupid Things to justify the “security” needed to “protect” the stupid… I then sooth myself with “Never attribute to malice that which is adequately explained by Stupidity; and there’s a whole lot of stupidity in the world. -E.M.Smith”…

But really, you will hear a Whole Lot about the need for all kinds of intrusive Cyber Security crap in the near future as a whole lot of intrusive surveillance stuff is built. When all that is really needed is a bit more use of “air gap security” at critical facilities and a bit of leased lines when more connectivity is really justified.

IMHO, EVERY damn, power facility, airport radar room, police communications facility, etc. ought to be Air Gap from the internet for any critical gear. With internet access on separate equipment in a dedicated room only. Military too.

Frankly, the way banks are letting anyone and everyone move money electronically is just asking for a profound failure. So now a photoshop of a check is enough to make a deposit (thus a withdrawal from someone else)? So do $2000 / day for a month then close the account. That’s $60,000. Done as 100 x $20 checks, by the time folks notice, you’ve ‘moved on’ to another bank. Who’s going to chase down a $20 hit from a bank in Bangladesh, anyway? Cost more than that for the phone calls… How many times can you do $60,000 a month? Probably forever…

Oh Well…

I expect there to be a thriving market in old and stupid appliances. I know I’m going to keep my “dumb cars” for the rest of my driving life (then give them to the kids…)

Well, back to looking at code…. Found an interesting Linux release that has built in clustering facility (Mosix kernel) with financial data scraping and analysis software ;-) Debian base under it, IIRC. So looks like another interesting thing that could go onto a Raspberri Pi ;-)

Booted Puppy on my Vectra (with floppy drive) and it had working internet, so past that issue. On to the next steps…

I’m thinking of making a Linux distribution deliberately “tuned” for security. So specific LiveCDs for particular appliances, and a ‘tightened’ one inside a VM for the ‘desktop’. We’ll see if it’s too much work for one guy or not. Instead of running, for example, Bittorrent, on your primary machine, it’s just a CD and a thumb drive you stick in the box. Hardened kernel, stripped of any software not needed / used by the torrent client, and no shell, just launches into that client. So all it knows how to do is torrent…. When doing downloads, you stick in that CD and USB drive and it goes. Otherwise, they get taken out… Not much chance for compromise or exploit there. Move the files separately to where they will be used (and rescan for viruses…) and away you go… Repeat for dedicated: Firewall, file server, email client, browser client, etc…

Probably ought to dig out my radio gear and figure out a scanner too ;-) Someday folks will want to do things like listen to the neighbors fridge to know when they have gone on vacation.

Sigh. I really really don’t want my TV talking to anyone. Signals ought to go in to it, not out…

Given the amount of control GPS and computerised cars offers government and law enforcement, I think we are a long way off the impetus-from-the top-down reversing on this one.

Imagine if you will a penalty system that presently relies on mobile police units, cameras and radars, moving to….

one whereby the car knows where and how fast you are travelling at any time –

so that if you make a minor infringement – the fine is printed and mailed automatically.

This still is probably too much turn around time for cash-strapped governments. So the next step will be to link a car registration to a bank account as a default. Like automatic electronic tolling facilities. Car detects you making a minor infringement, and the account is debited automatically, and you can try and appeal to get your money back later ( good luck with that one );

For major infringements ( high speed, erratic driving etc ) expect the car to signal your location for immediate attention by the authorities. This will be the safety angle that will drive wide-spread requirements for ‘smart’ cars. ‘Think of the children, Homer !’

I’ve also seen the scientists proudly show that you can control your house remotely using a mobile phone, and wondered just how dumb they must be to want to expose such a lot of control to anyone anywhere in the world. There are a lot of very bright hackers (used to be that a hacker was a very good programmer – now it’s someone with criminal intent in mind) who can find a way round code produced by paid-by-the-line programmers.

Of course all this CIA surveillance is done with the best of intentions to save us from the next terrorist attack, but it’s the old question of who watches the watchers.

“Imagine if you will a penalty system that presently relies on mobile police units, cameras and radars, moving to….”
The Netherlands are way past that since about 5 years now. Actually the fines revenue is already factored into the fiscal year budget. If the fines get lower in number, the fine gets higher.
Just recently they doubled some fines.

France has taken over this concept and had the dutch help them install the same system. First year out the had 600 million euros with only relatively few cameras. The Netherlands gets that amount easily with only about 5 million drivers.

“Ultimately, the car computer simply will not allow you to exceed speed limits, pop illegal turns etc.”
Funny you should say that. Such a law is on the shelves in Europe, to force carmakers to have remote controlled speedlimiters in their onboard computers since about 10 years now.

The only things holding it back are the vast investments in infrastructure, but the idea was indeed to equip all speedsigns with a transmitter emitting the maximum speed.

Another one is to have a police controlled override to your car systems, like braking , throttle.

@P.G.: I would call it, instead The Mark of the Big Idiot as none of these gadgets may touch our Being, really. However the real issue about these is its “trick” of attracting our “attention”, which is, believe it or not, part of our life´s energy, driving it away from ourselves and hence preventing us from evolving in every sense properly as human beings, so becoming dumber and dumber every time. (Just to put it simpler: Do the kids now read more than before these gadgets appeared?)
Our @E.M. remember us of those america indians, who, back in the 1800´s refused to be photographed, as they said it took their soul out from them.

@petrossa
Strangely in the US there are already insurance companies offering devices that plug into your car to ‘monitor your driving’ and report back to the insurance company which can set your insurance premium based on the electronic snitch. I was told 15 years ago by an automotive engineer in a networking course that the (then) modern cars had up to 5 computer systems. Caused a bit of a problem with one well known European manufacturer when the braking computer had issues with occasional unfortunately-timed speed-trap radar transmissions (especially when the car concerned is traveling a little fast and needs to brake hard )

Another point not mentioned is the huge vulnerability to EMP or another Carrington Event even if its not powerful enough to knock out the main power grids all the little smart chips could be fried. Its bad enough after a hurricane to be out of contact for 3 or 4 days while the connectivity is restored but the effect on a large town of such an event if even standby power won’t wake refrigerators/heating/air-con water and sewage pumps etc etc., would not be nice. The same effect could be gained by engineering a date switch or similar trap door in the chips. I worked on one chip that for thermal testing had a hidden microcode instruction where it did repeated floating point ops from its internal registers till it ‘melted’. So I think that this is as much a national security issue as a domestic intelligence issue.

One other slight problem would be if Micro$oft programmed your car. It would be continually being “upgraded”. If the engine didn’t start first time you’d have to get out, lock the door, walk away at least 10 yards, unlock it, get in again and put the seat belt on before it would try again. It would also probably have a voice telling you to shut the door properly next time to avoid these problems (it’s your own fault that it failed).

A bit more seriously – Ian W has a good point. We don’t know the back doors into the current series of chips and software. I’m sure any chip that’s complex enough has a “back door” that only the designers are supposed to know. It seems to be an item of pride to add an easter egg into any big project. Petrossa – a bug in the software limiting the speed of your car could be a major problem, as could the equivalent of the “jammer” used by crooks to inhibit door-locking by remote control.

Anybody else find it amusing that people who’ve worked a while in computers don’t get all the latest networked gizmos?

I drive an older car without all the bells and whistles, Non of them have the Black box in them. If you have a newer car can you take it off or disable it or has our intrusive government outlawed such actions.

You’re onto something Chiefio, I think. I continue to drive my faithful 20 yr old car because I’d prefer not to drive one with a computer and lots of wizbangery in it. Complexity gives more fun bells and whistles (which I wouldn’t use anyway), but it also gives more things that can go wrong. My dad had to replace the computer in his car last year at cost of $2000.

The interesting next question is Google’s push for computer driven cars. I wonder how long before the first lawsuits for injury compensation blaming the software. Could get very expensive for Google, since there is no way that their software could be proofed against all possible road situations (and map issues).

@ Simon Derricutt says:
22 October 2012 at 9:25 pm
>One other slight problem would be if Micro$oft programmed your car. It would be continually >being “upgraded”. If the engine didn’t start first time you’d have to get out, lock the door, walk >away at least 10 yards, unlock it, get in again and put the seat belt on before it would try again. It >would also probably have a voice telling you to shut the door properly next time to avoid these >problems (it’s your own fault that it failed).

Heh – I had a car one time that had to be treated that way when the car alarm got confused. I was on the phone with my mechanic (a/k/a “tech support”) while he talked me through what I had to do.

>A bit more seriously – Ian W has a good point. We don’t know the back doors into the current >series of chips and software. I’m sure any chip that’s complex enough has a “back door” that only >the designers are supposed to know. It seems to be an item of pride to add an easter egg into >any big project. Petrossa – a bug in the software limiting the speed of your car could be a major >problem, as could the equivalent of the “jammer” used by crooks to inhibit door-locking by >remote control.

Way back when the DOJ went after Microsoft, I got a sneaking feeling they were coercing them into doing stuff like (back doors).

>Anybody else find it amusing that people who’ve worked a while in computers don’t get all the >latest networked gizmos?

Hoo-ha! That’s me. I have been using a paper Day Timer since 2000. ;-) Also, every time they upgrade my OS and/or email at work, they lose my archives. So I just print out the stuff I know I will want to look at later.

Hey, I heard that an old diesel car or pickup without electronic ignition and all that sort of stuff will continue to work even if there’s an EMP. Anybody know if that’s true?

I read somewhere not long ago that the digital TV stuff was put in place in order to have bandwidth to do surveillance. There’s your two-way TV like in George Orwell’s 1984. So, where would they put the device (camera? microphone?) anyway? Is it in the TVs or in the converter boxes? I have stayed away from the new flat screen TVs because they won’t fit in my entertainment center. I refuse to buy new furniture just to have a more enticing device for wasting time. (I heard someone say one time that they find HD really engrossing. They sat and watched golf for hours one day – and they don’t even like golf!)

Isn’t that ironic? Back in the early days of TV, there was likely to be something on that was worth watching – but the technology was punk. Nowadays, the technology is amazing, but the programming stinks.

Regarding the cars that are controlled by automation to prevent speeding and such – I have trouble believing that will happen because speeding tickets and other moving violations are such a money-maker for the PTB. I mean, the people with the power and money seem to be prodding the populace into making even worse decisions with their lives. Or, if you can make a criminal out of a regular person (overnight, by changing the rules) then you have a new source of revenue, right?

Why, look at the price of gas! Back in the 1970s, when it went from (in my memory) 25 cents a gallon to 70 or 80 cents, they lowered the speed limit to 55 mph. That saved gas and lives. Nowadays, you’ve got your greenies screaming bloody murder about running out of oil, but the speed limits are actually higher in many places than they were before the so-called “oil crisis” of the 1970s. And why do they think people will trade their paid-for “clunker” for a car that costs so much more and only gets around 30 mpg. On the highway, my 21yo car gets 28-29.

It seems so illogical to me. If we really were running out of oil, why would we waste it building wind turbines that cannot replace the energy-generating infrastructure that we have currently? Why waste it on converting food into ethanol? I am about to decide that the abiogenic oil theory has proven itself out, and the oil companies and governments know it, but it would cause the floor to drop out of the economy if oil became as cheap as water. So they trump up all these silly schemes to scare people into spending megabucks on stupid electric cars that won’t even get many of us to work and back home the same day without charging as many hours as you work (or more). And talk about energy inefficiency! Any time you burn so-called fossil fuels to create electricity, you lose some. Then you lose more when you transmit it from the generator to the user.

Hmmm…I have diverged from the topic. OK. I could talk about how risky it is to depend on drive-by-wire cars and fly-by-wire planes. Personally, I think the accelerator problem in the Camry is caused by a vulnerability in the drive-by-wire system. I know the folks who design them have to say they are fool-proof, but they only know what they know. And how about that plane crash off the coast of Brazil, after a major earthquake and near a thunderstorm (both electrical events). That Airbus A330(?) seems to have a vulnerability to rogue EM emissions. I’m sure I have read other stories about crashes or malfunctions that deal with electrical stuff not working as planned.

I think there’s more to electromagnetism than we have mapped out thus far. And as we get closer to the galactic plane, I suspect we will see even more anomalies. From what I am seeing now, we are just swimming in a sea of electromagnetism – not much different from fish in water. Do fish know they’re wet? Do we know all there is to know about electromagnetism, where it comes from, and what it can do? We’re pretty dadgum dependent on keeping our electric toys working “just so”. But I say we had better retain some non-electrical skills because it wouldn’t take that much to shut it all off in a hurry. Just this last month, our power went off for several hours. I had been playing my digital piano at the time, and I wasn’t ready to stop. The lights went off, too. So I got out my orchestra lights and clipped them to the top of my 101-year-old Ivers & Pond piano and continued to play. (Stop me if I’ve already told you about that.) My upstairs neighbors later told me they enjoyed it when I kept playing. :-)

National Security? Did someone say “National Security”?? I smell $$$MONEY$$$….;-)

Remember ‘Railroads’? Different guages at borders? Heck, they even had different guages on railroads within the same country. Now… how to put a ‘guage’ on an internet circuit?

Seems like the ISP’s and the main international hubs (how many are there now 12-16?) are the crux of it for the BIG international issues. But within countries it’s gotta’ be the ISPs, right? You don’t suppose Congress is going to fix things the way they did with AT&T, do you? Imagine, black, dial-up, hard-wired computers from MaComp, uckkk! Poor Apple? Is it too late to Federalize Microsoft, or did they do that years ago and just never tell us?

Yep, I’m another one who wants nothing to do with all this “smart” stuff. Back when I bothered to run a car, it was the bag of spanners in the back, plus a bit of knowledge, that got me going again when something broke, not “hundreds and thousands” down at the local Manufacturer’s Approved Dealer. As the “ifixit Maker’s Manifesto” says, “If you can’t fix it, you don’t own it”. ( http://www.ifixit.com/Manifesto – should be a copy in every workshop.)

The EU is busy mandating bucketfuls of the smart stupidity into vehicles at the moment – I read somewhere recently about a proof-of-concept attack which (from a pasing car) wi-fi’ed into the tyre pressure sensors, and from there into the main onboard controller, just like that. As it was academics rather than assassins, they stopped there, but … Makes you shudder to think about it.

They’re ahead of you on keeping “unhackable” vehicles on the road, too. The same EU is contemplating a law that will say that, if any part of your “legacy vehicle” is not exactly as per its original showroom condition, then it’ll be illegal to use it on a public road. Modern tyres? “Inauthentic” parts in the engine from some long-forgotten repair? – Gotcha. So you drive a trackable vehicle, sunshine, or you can walk through the CCTV-infested streets or use CCTV-infested public transport and get tracked that way. Old hat to call it Orwellian, but I can’t think of a better word for it.

What we want to get into the public consciousness is a very simple message. Each of us should trust the government precisely as much as the government trusts him (or her). Here in the UK, the appalling density of cameras on every street, the latest HD ones being able to put a recognisable picture of your ugly mug into its facial recognition software from half a mile away, not to mention the number of databases (kept for years) about every action that can be monitored, shows me very clearly that we’re not trusted an inch … and that’s precisely how much I trust “my” government. It’s shocking that it’s come to this, but I’m not going to prevaricate about it: the modern Western government is, quite literally, the enemy of its people.

About the only plus point is that there are a heck of a lot more of us than there are of them, and just as clever (at least, until crappy modern education takes its toll). EM, when you get those live CDs going, please make a kit version so I can work out a way to plumb my wifi dongle (OK, OK, I know …) into one before burning it – and don’t forget the encryption! Oh, and we should all join and support Freenet – https://freenetproject.org/ . Maybe that should be built in, too.

Back in the early 80’s I was working for a big company on a design team that literally held the fate of the company in their hands, they needed the product to work and ship to keep them afloat, they were over extended to the max. We had daily status meeting, to the point of being ridiculous. We noticed that management seemed to know things as fast as we did, so being a bunch of paranoid geeks we all stayed very late (pretty normal anyway) and went into search mode. Yes, boys and girls found bugs up in the ceiling of strategic offices and computer room locations. We were monitored to the max. Our first inclination was to rip it all out, but we decided to use it a bit. We purposely would hold phoney conversations and say all kind of things to twist them in knots.

After a while this got old and we sent an anonymous letter to the president telling him we were aware of their illegal transactions and demanded they be removed or legal action would be taken. We gave them a deadline of a week. We then had some real fun, we were practically working around the lock, but we made sure someone was always in the offending areas. We challenged any new faces as we worked in restricted areas. We were all treated to a “Long lunch” based on a phoney milestone. When we got back the bugs were gone, they took the threat serious. It was amazing how our once all knowing managers got dumbed down. As it turned out we delivered a great product and the company turned the corner and survived the cliff.

Another incident occurred about a year later, the company started a big new project as a partnership with another company. At a company all hands meeting the president told about the project and boastfully stated that everything was top secret and it would be impossible for anyone to get access to the technical documents as they were all secured by state of the art computer methods. When he said that a few of us looked at each other and knew the gauntlet had been laid.There were 4 of us that worked all night! We got in the isolated mainframe within an hour and found the documents in question within another hour. The hard part was the encryption, but one of the guys, that was his hobby. We printed out said documents and piled them at the presidents door with a nice note. Security is only as good as the lack of motivation by others to get access.

Great stories! Whenever I’ve discovered monitoring, I’ve used it as a method of ‘inserting noise’ and then seeing what reacted ;-)

Once, at Apple, they were having massive layoffs. About 4000 IIRC. We had to ‘close all their accounts’ on the Engineering machines. HR would NOT give us machine readable data. We were ONLY given printed names on a horrible Oxblood colored paper. Trying to even READ black ink on Oxblood was an eye killer. Expecting to get it all exactly right, the accounts closed BY HAND, and inside an hour or so with a staff in the single digits was nuts…. So….

One of my guys worked out the settings on a scanner to up the contrast and lose any “red”. Another did the OCR to text. Then we spit up the scan into groups for each person on staff to QA the result. Inside one day we had it as machine readable and QA’d. Had the scripts written to close all the accounts at the same time via one button push too. At the next days meeting I handed a magnetic media copy to HR and asked them to “please check that we’ve got the list right, as that oxblood paper took a hour or so to work around”…. In later layoffs they gave me machine readable copy ;-)

(Why did they do it? They didn’t want unapproved copies leaking out. This was a preventative against the typical photocopier and email… Never mind that we did all sorts of “high security” stuff and were trusted with secrets worth $Millions… Oh well. “We made our point” ;-)

“It’s a very bad idea to annoy the hacker. -E.M.Smith” ;-)

@Steve C:

Lucky for me I don’t live in the EU. Hopefully we will shortly stop emulating “a decade or two behind” and start running the other direction “Real Soon Now”…

@Pascvaks & Power Grab:

Part of my ‘resistance’ to Microsoft is that there was a point just about the time of the suit dismissal when they started having “strange decisions” on some things. No proof, but the rate at which “holes” showed up and “bad security” was being built in from the get go was higher. I suspect that a TLA “asked for some favors” and got them. Either that, or MS programmers are incredibly dumb and have no interest in security… We’ll see…

I’m not the only one, BTW. Loads of “geeks” embraced Linux for just that “too full of holes” response to MS…

My “LiveCD” system will come with full source code and a DIY option kit… Only way to assure it’s not buggered too…

@All:

There’s a reason I have 2 Diesels that have no computers at all in them (and one with a carb and no computer… another has a ‘computer’ like object but it’s a hydraulic/fluidic/pneumatic thing that drives the fuel injection… one of the last ever made, and the best IMHO.)

I’m planning on driving only them until I can drive no more.

@Myrrdin Seren :

Part of why I don’t drive on “toll roads” that use transponders in the car. It’s just a tiny bit of software to “you entered here, then, and exited there, then, so your travel time says you sped. Here’s your fine!”. That, and I don’t need to be logged in my movements…

@Simon:

Some of the dumbest folks I know are some of the most educated… ( I’ve also known many smart educated folks, but that takes special effort, IMHO.)

Why don’t I embrace the “computerized and network everything”? Too many late nights trying to fix broken crap…

@Jim2:

Like things programmed by Micro$oft… On one occasion, while looking up a ‘dualing gateways problem / bug’ on the MS website, I found the phrase “This behavior is by design”. Just about tossed it… If you set two “default gateways” on a MS box, it swaps between them about every 20 minutes. The “client” had done this with a mail gateway. It would pick up mail for about 20 minutes outside, then deliver mail for about 20 minutes inside. “Sort of worked” but with 20 minute lags as one side broke, then the other. After days of trying to convince ‘their guy’ he was wrong (and MS saying it was a feature) I finally set it up right and things worked FINE. There ought to only be one “router of last resort” default gateway. Then you make table entries for any ‘special’ networks ‘inside’ that are not discovered via ARP or similar…

Took much longer to convince them that ‘dual homed’ mail gateway was just a giant bypass of the “firewall” box and it really needed to be single homed and inside the firewall… Some clients take more time to teach than others…

So no MS car, ever.

@Adolfo:

Fished out of SPAM queue. No idea why…

I wonder if I can get a Native American exemption from photo surveillance as a religious issue ;-)

@Ian W:

Somewhere there’s an archive of interesting ways software can break hardware. One I remember was a big old dishwasher sized disk drive where the proper repeating sequence of seeks et. al. would burn it up ;-)

Yes, there are people to try to find such things ;-) (Say, this spec sheet says 50% duty cycle, what happens at 90%? ;-)

@John Silver:

Had to look up Eric Blair… Orson Wells…

@Ian W:

As the body is a Faraday Cage, I think the EMP fears are overstated for cars. Then again, more are getting plastic body panels and added antennas… “We’ll see” comes to mind ;-)

Then again, they are making more things like sensors in tires for pressure that are not shielded and cars that won’t go if anything is reported wrong….

My car will go anyway. I have a tool box and know how to fix it…

@Bruce of Newcastle:

Had a friend complaining that the fancy computer door unlocker electronic ‘not a key key’ dongle cost something like a $kilobuck to replace… Sticking with metal keys for me… If I lose a key, don’t want it to cost a $1k…

My mechanic complains like crazy about the new GM electronic computer driven transmissions. If it slips, it shuts off. If you wait, it will work again and you figure ‘no problem’… after something like 3 slips, it blows it’s brains out so you don’t keep driving it. Couple of $K for a new one… You are supposed to ‘just know’ that if it warns, that’s a ‘going to commit suicide if you don’t call a tow truck’. If I’m wounded in the forest, I do NOT want my car deciding blow it’s brains out and strand me as it might damage the transmission to limp to the hospital in it….

@PowerGrab:

I had an old International Harvester Scout with a Diesel that didn’t need any electrical system at all. Once the alternator gave out. Didn’t get around to fixing it for a few months. I’d put it on the charger at home every couple of days. Start it, then turn off the key. No electricity needed (you had to pull a cable to stop it…). I’d turn the electricity back on for turn signalling ;-) Only good for about 4 hours at night, so didn’t do a lot of night driving ;-)

The Mercedes has a pneumatic switch, so I can’t turn the key off; but it can suffer electrical failure and keep on working… Newer more “modern” Diesels have all sorts of added electronic control crap and even piezoelectric injectors. No electricity, you have a brick…

Airbus vs Boeing is a ‘hot topic’ among pilots. Airbus goes for way too much automation. Plug up the pitot tubes and you find yourself fighting a computer “that knows better”… Thus the crash off of Africa. Boeing thinks the pilot ought to be in charge (but pilots can screw up). Take your pick…

FWIW, many facial recognition systems key off the eyes and brow lines. So get fat sunglasses and a broad brimmed hat. I’m thinking of wearing my Motorcycle Helmet in the car “for safety” ;-)

Oh Well…. If it gets bad enough I’ll just get a boat and head out into a lake somewhere… I like fish…

EM – you may have misunderstood. I also have a dumb diesel car and only connect what I really need to the outside world, having worked in various computer-related design for a long time. I like things that are only just complex enough to do what they are designed to do. Apart from the problem of what happens when the car’s computer notices a fault and won’t go without expensive TLC, the replacement parts are so expensive – whereas I know the ex-factory cost can’t be more than $40 you’ll be charged $1000.

Personally I’d reckon the pilot would know best, and since there are two pilots you have a much better chance of not crashing.

To fool the computerised facial recognition, you’d also need false ears and cheekbones.

“Lucky for me I don’t live in the EU” … Stay on the qui vive though – these government types are all very matey. We had a Chinese team came over a few years ago to learn from the London authorities how to do CCTV “properly”.

@Simon Derricutt – re false ears and cheekbones, there was an experiment in Germany a couple of years ago where they managed to foil facial recognition by painting their faces with bold geometric patterns which made Ziggy Stardust look pretty conventional. Mind you, as a no-longer-young-enough-to-get-away-with-it male, I’m not about to try it. High power IREDs, now …

I was giving a general description of the Boeing vs Airbus “issue”, not directing it at your statement in detail. It is a controversy among pilots as the two makers have taken opposite positions.

AirBus puts the computer in charge and the Pilot “makes requests”. The push is to automate as absolutely much of everything that the pilot might do wrong to protect you from human error. Most of the time the plane can fly itself. Just one of the ‘issues’ is that ‘time in seat’ is no longer ‘time flying airplane’. Many pilots end up entirely unprepared to actually fly the plane as they have been conditioned to set a goal and let the computer do it. To the extent the computer never fails, you never have a crash. Then we had the pitot tubes plug up off Africa and the plane crashed. The computer was doing wrong things (as it had wrong data) and the pilots were too ‘out of practice’ to figure out what to do to over ride the computer AND figure out the real problem AND fly the plane without decent instrument data…

Boing puts the pilots in charge and the computer “makes suggestions”. The autopilot can fly the plain from takeoff to landing, but the pilot can over ride at any point. Works really well when the automation ‘has issues’ as most pilots DO like to fly, so often do things manually. Then you have cases like one recent one (I forget the details, even if it was Boeing or Airbus – might even have been that Africa crash after they got the computer out of the way). Airplane was in a stall and doing a fall from the sky. Pilot and co-pilot each to opposite things with the controls. The way it was configured, the wrong guy ‘won’ and no stall recovery was done. (As I think about it, I think that was an Airbus… IIRC the Boeing has either “Pilot wins” or the controls are coupled so you know you are fighting the other guy and a verbal override can happen ;-) At any rate, the point is, that with manual control, you can have ‘human factors’ crashes.

Which one is ‘better’? Who, or what, do you trust more?…

Oh, and I love the little ‘windmill’ that the Boeing deploys in complete power failure. It uses forward motion to make just enough electricity to power the basic gear in the cockpit. Nice. So there was that Boeing plan that went through a volcano ash cloud. Crapped up the engine and all of them went out. Pilot flew for some ‘long way’ as a glider with only the windmill powering things. An Airbus with crapped up sensors would likely not have survived… The pilot eventually got the engines restarted (likely as they cooled, the ‘ceramic’ ash coating fractured and fell of things inside the engines enough to restart). Eventually landed (standing up!) looking out a 1 inch or so band of un-sanded wiindshield where it met the frame…

Yet every so often a pilot does “something stupid” and a crash happens.

So there isn’t a ‘right answer’. As long as the computer is in good shape, and has good sensor data, it crashes a bit less than human pilots. When things go “very bad”, the human is much more adaptable (as long as the hardware / software allows it and they are ‘in practice’). Which do you want more of? Day to day a little better, or the rare and unusual being more survivable?

Me, I like the Boeing approach. “Someday”, the computer driven plane will be superior. Now we’re ‘in transition’…

Per “ears and cheekbones”: The cheekbones along are not enough (broad glasses prevent the reference points and the mustache covers the lips ;-) while for ears, just grow long hair ;-)

As of now, facial recognition takes a face. For “forensic use” and ear print / photo or even a ‘lip print’ can be used to establish a particular persons identity (AFTER they are identified in a detailed photo elsewhere) but are not enough for computer recognition. In a few years? Yeah, things will be different then… Burka and Sunglasses then…

@R. de Haan:

Interesting service. Only “issue” with such central services is that they are subject to subpoena and government warrants… or TLA activities. So it’s a ‘nice to have’ but for serious things I’d want a private distributive layer like Onion Routing. For what I do? Hey, it would be more than enough… Looks like it would also let you get past ‘country blocking’…. Nice.

@Adolfo:

Much as I love the “good old days”, the modern era also has ‘charms’. My dishes can wash themselves. The oven calls me via a bell when the time is up and can start / stop on a preset schedule. Heck, while I dearly love my slide rule, the calculator does not send me looking for my reading glasses and does a zillion digits of precision… I’m more for “use each as appropriate”…

@Steve C:

At the local store they were selling “drones” with built in camera for about $600. Decent radio range too. While I didn’t think of it at the time… your comment… well… outfit one with a nice little laser and radio link targeting… “What was the last thing the camera showed, Officer Bill?”, “Um, just this toy and then it got bright and white, then black”… Mass produced and likely impossible to identify from a photo…

Heck, maybe just equip it with a paint-ball gun ;-)

What technology taketh away, other technology giveth back ;-)

A friend teaches high school kids robotics. They build and compete with personally made robots. Each year the ‘task’ is different. Maybe I’ll suggest “climb a pole and paint a target” for next year ;-)

@R. de Haan:

A friend who worked in the spook electronics field for a while has a great story of how their radar would read reflected signals (all while being a passive listener) and know what direction Soviet Radars were ‘looking’. When the ‘trawler’ was pointed at them, THEN they would send something like a 10 kW pulse right down its throat. Said you could see smoke come from the “radio room” some times ;-)

FWIW, it’s nearly trivial to make an EMP bomb. Large electric current through a coil, then set off conventional explosives. As the metal wires move, the electrons “have issues” and end up leaving in a big EMP.

So “for a paranoid time”, ask how easy it would be to make one of these in a rented office in a high rise building with lots of glass and a great big power feed. No need for mobile power supplies or fitting it into a ballistic envelope…

Don’t know how much stuff it would take out, but I’d not want one going off with a ‘view’ of my computer room nor of the power lines leading to it…

Put one in a semi-truck and it’s almost as easy to build and power it. Wonder how close to the various “places of interest” the freeway goes…

Thinks I ponder when trying to figure out how to defend against them… (lots of rebar in concrete below ground with power cleaning / isolating gear and optical couplers in the data feeds…)

Yeow, you guys are paranoid beyond reason, IMHO. Yes, being connected gives others the capability to listen in/ monitor, etc. That’s not new as a state of affairs. In the “old days,” someone would have to talk to someone who saw someone…. Then, we had phone records, credit card records, etc… The issue is not can “they” monitor you. They issue is: what kind of a society do we/ will we live in that we should be worried that will happen in a way detrimental to our interests. THAT’S the real issue, not whether “they” can monitor…

Just like any technology can be used for good or ill, from knives to guns to, whatever, “going Luddite” doesn’t make anything better.

As for “bad guys” (as opposed to gov’t, who I will assume for the purpose of my argument are the “good guys”), yes, we need ways to protect ourselves (locks on doors, etc.), but we all know the best protection is a police and court system that catches most of the bad guys and makes the expected value of their criminal ways unattractive for all but a few of the least mindful, thus minimizing the likelihood that bad guys will do bad things.

So, I say, embrace your smart phone, your two-way internet-connected computer and TV, etc., but be very vigilent and active to ensure we have a political system that does not use those technologies against the legitimate interests of its citizens and that finds, catches, and punishes the bad guys.

Crawl into a technological cave if you want, but I don’t think that’s a healthy response to the forward momentum of human development.

My son calls me a Technophobe because I avoid the newest gadgets. I built him his first computer and set him up with a Bulletin Board System on the tell-co before the days of the WWW. I believe the Internet is the greatest invention of the 20th century. but I don’t need all the toys that that entails. The computer is a wonderful tool but also can be a huge time waster. And an invader of my privacy. At one time I was a very good car mechanic but now much of a new car cannot be repaired and I am not permitted to work on them without government permission. I don’t want to break up the new toys but I also don’t want to be controlled by them or by self appointed masters. pg

The problem is not “paranoia”, the problem is a long history of ABUSE of power by governments and management folks. We are adding “powers” faster than we are adding “limits on abuse”. That never ends well.

Oh, and I’ve been involved in security things from the White Hat side for a long time. I’ve seen the abuses of the system… From two cops pressing a guys shoe into the dust behind our restaurant to get a better ‘casting’ (they used it to badger him into a confession – lucky for them it didn’t have to go to court…) to me installing monitoring equipment to catch a janitor employee who was stealing things. While I never got him ‘red handed’, I was able to “finger with high probability” to his boss who “moved him to another site” (or more likely just fired his ass…)

So given that I’ve used too little evidence to indict someone, and over a couple of computers worth maybe $1000, what are the odds that folks with $Millions or $Billions on the line will ‘bend morality’ a little? Hmmm? How big a ‘business’ is it, collecting “fees” for parking and velocity? How much can be made as a “Lawyer with a reputation for catching the spouse cheating on film”? Think photo mills won’t pay for drone pix of ‘names’? Think neighbors with a ‘grudge’ won’t pop $500 or so for a ‘personal drone’ to try getting compromising pictures or information about the ‘neighbors’?

Simply put: I’ve SEEN that human nature is such that ‘morality’ goes out the window once they are P.O.ed at someone or a large chunk of cash is under their nose. ~”Eternal Vigilance is the price of freedom” (or some such).

It is not paranoid to think that human beings will act as they have always acted.

Oh, and you are aware that right now Banking loses a few $Billion to electronic fraud? No? They don’t talk about it as it might discourage folks from using all those nice convenient “on line banking products” that cut their labor costs by even more. I was hit for $39.99 and $9.99 (as a pair) each month for 3 months. Didn’t notice until month 3 and then asked the spouse “what’s this?”… not her. Went to the bank. THEY could not tell me who they had given my money to other than it was an on-line site named “Inter-trans” (that exists just to ‘launder’ money from banks to ‘others’, IMHO). Talking to them, THEY would not tell me to whom they had given my money nor reverse the charges. “I need to talk to the folks who’s services I bought”… Which is fine, had I any clue what services and from whom they were bought. Long story short: After enough badgering and going a couple of folks up the ‘management food chain’ the guy said he knew that pattern of $9.99 and $39.99 was a porn site and implied it was likely some family member. I pointed out: 1) It wasn’t me as I know me. 2) It wasn’t my kids as they were just out of diapers. 3) It wasn’t my spouse as she doesn’t even like beer in the house nor strong words on TV (Disney is generally acceptable…) Only then did they decide they could (maybe) reverse the charges… How many folks would push that hard over little charges?…

(The ‘answer’ is likely that I’d paid for carpet cleaning at a rental home with a check. As all it takes now is ‘some personal information’ and the transit routing number from the bottom of the check to ‘sign up for automatic check payment’, and as all my other checks had been to things like Gas & Electric or The Bank house payment, I’m pretty sure that was it. He had name, address, phone, transit number. I think that’s all it takes…)

Oh, and I’ve had at least 3 attempts to “take over” my newest laptop. Each time I’ve ‘recovered it’, but then again, if the attack were a more subtle one, I’d likely have not even noticed…. On the desktop side, I’ve noticed the “blinky lights” on my internet box blinking when their ought not to be any traffic (ALL internal systems down). It didn’t do that when first installed ( I set a baseline). SOMEONE is knocking on the door… Regularly…. Could be that they have already put a ‘catcher’ on one of the boxes and are trying to reach it to pick up some info. Could be ‘tools’ just trying to break in. Don’t know… (That’s part of why I’m going to ‘the next level’ with ‘disposable systems’ from CD ROM or locked USB drives.)

In short: It’s not paranoia when they are out to get you. And they are.

I’ve done enough work in security to know that the Russians and the Chinese have large well funded operations to break into computers and ‘steal stuff’. Anything from information to real money via electronic accounts. The current take is measured in $Billions / year. That’s what is KNOWN as actual money taken.

I KNOW that Onstar is available to law enforcement. Think every cop is clean, moral, and honest? Really? (That’s why we are supposed to have a Judge issue warrants… but now that we have ‘warrantless search laws’ and ‘self issued warrants’, that check-and-balance is out the window…) I’m not interested in having MY car subject to being shut off by others, having microphones turned on remotely, having the doors unlocked remotely, etc. Either by police, or by “foreign nationals”… (I worked at the company that invented the technology inside OnStar, btw, and know how it works… I was at the Director level. )

In this case “going Luddite” DOES make things better. MUCH better. I don’t need to be walking around with a GPS tag on my belt and a mobile microphone ANY decent hacker or ANY TLA / LEO can turn on and ‘listen in’. Phone Hacking is not just big business now, there’s tools to do it for the less skilled. Take the power off of it, those risks ALL go away. (Including the risk that someone finds your ‘mobile payment’ info in your phone and sucks out all your money… a real risk with real losses NOW.)

BTW: Assuming Government are “good guys” is wrong on the face of it. Only for limited periods of time and even then only for ‘most’ of the cases of use by a government is is ‘true’. The worst ‘ills’ and abuses of history have been caused by governments. I don’t expect that historical trend to change in the future. Yes, they are “Better Evil Bastards” than the other Evil Bastards, but that does not make them saintly ‘good guys’. That’s why police departments have “internal affairs” branches. Oh, and remember Watergate? How about those FBI files that Madam Hillary “found”? The bigger ones collected by J.Edgar Hoover? (That mysteriously “disappeared” right after his death) I know that I am on a TLA file (and likely more than 2). First from when I was dating the daughter of a director of a national lab doing weapons work (and we were ‘protesting the war’… well, she was, I was tagging along hoping to get somewhere ;-) At one point I identified a guy filming the ‘protestors’ and ‘investigated’ him. His cover story was that he was an independent who sold footage to the nightly news. Didn’t wash, but I let him think I bought it. Wrong kind of gear (chemical film, would not be done processing in time for the news, who used video gear even then) and his dress and all were wrong. He was ‘agency’ not ‘film guy’. So I’m certain I’m on his film in that file… Oh, and he wasn’t there to watch ‘the girl and me’, we called that guy “Clarence Clearance” or IIRC “Uncle Bob”… He was a different TLA… BTW, at this same event, my roomy and I managed to infiltrate a field meeting of the various police covering the event. That we were both a bit ‘too clean cut’ for our faux hippy look helped us ‘pass’. That I was, even then, hanging out with LEOs a lot and was a Law Enforcement Eagle Scout didn’t hurt ;-) They started talking ‘group dynamics’ and when to take who into custody. Some of the LEOs were uniforms, some of the folks were under-covers (one was one of our dorm ‘Resident Advisors’… not surprising, really as a lot of “Lab Kids” were in that dorm and foreign TLAs would love to nab one…)

Now fast forward to today… Think it would be hard, AT ALL, for those agencies to just turn on some cameras and microphones on the cell phones of the crowd? Think anything prevents that? Think that watching which cars go where afterward will NOT be done, especially with the OnStar ones? Think a TLA would NOT turn on the microphones in those cars ‘of interest’?

At this point I’m going to shut up on that line, for the simple reason that I’ve had and FBI clearance to work in some sensitive areas. I can’t ‘go there’.

Oh, but on the ‘knives and guns’ issue: The 2nd Amendment was for the purpose of assuring symmetry in that regard. So as soon as I can turn on the microphone of ANY government employee (including the politicians) and I can track their car, well then, I’m OK with them doing the same to me… maybe…. Basically, any power needs to be symmetrically available to prevent abuse. That we have moved far from that principle today, and toward a police state with a standing army, is not an argument against the principle, it is an example of the path to ruin…

@BobN:

Well put.

Frankly, I think my “concern” comes largely from the fact that I’ve built systems for a living for a long time AND I’ve seen how they are used. (In some cases, done the ‘using’ myself.) Basically, I’m too much an ‘insider’ to security stuff to trust how it is being used. Even if I am, now, a decade or so out of date…

@P.G.Sharrow:

My feelings exactly. Frankly, here I am hacking together a secure and private compute environment out of various bits of hardware and Linux. (Leveraging a lot of other folks work in the process… h/t to the Linux Barn Raising of the world!) I’d not call that being a ‘technophobe’. No more than I’d call a biologist who does a lot of hand washing while working with infectious disease organisms a ‘paranoid hypochondriac’.

I’m simply aware of just how much the “leverage” has moved against personal privacy, freedom, and self reliance; and how far toward oppressive invasive central control AND The Bad Guys. I’m looking to restore the ‘leverage’ to a ‘balance’, not eliminate technology.

@Jim2:

Yup. At one point you could buy the ‘fumigator’ and such and DIY. No more. There was a tipping point when various “professions” found they could practice ‘occupational birth control’ via regulation. There are now massive gangs of lawyers assigned to lobby D.C. and State Capitols to get laws past to prevent competition and reduce providers; all to raise prices / revenues. From real estate sales licenses to hair dressing laws (one lady was recently ‘busted’ for doing hair braiding in her home without the mandatory ‘safety classes’… to braid hair…) and on. Once ‘commerce’ finds out it can use Government to force folks to buy their service and limit the providers, well, they love that addiction to power… One of the most blatant examples of how “regulation” goes bad. ( I’ve had ‘inspectors’ on alternate visits insist that ALL sockets and switches had to be on ‘pigtails’ and that they could ‘not be on pigtails’… causing 3 x the work swapping back and forth… Oh, they get a fee for each fixture… and are friends with the large electrical companies…) That is WHY the Federal Government was supposed to be so limited, and it is why removing those limits was a very bad thing…

This process continues until the economy slowly grinds to a halt. Often over a few generations.

(Well, really, they were not removed so much as The Constitution is just ignored now…)

@ EM – I had the occasion to catch someone working for me steal design data. I was shocked when we finally pined it on her, she seemed like the last person in my group that I would suspect.

About 15 years ago I got a call from a 3 letter outfit that asked me to give them a bid on hardware that would parse millions of cell phone calls, recording conversations that found words in the table of interest.
Your protest story triggered a few memories. When in college we would occasionally post a bulletin that there was an SDS formation meeting. We then sat back and watched all kind of strange creatures show up at the designated time and location. Some of them tried to fit in, but were painfully obvious they weren’t students.

I recently went through a period of problems with my computer that was symptomatic of someone in my system. I noticed my router lights would go crazy about 3 AM every night. I got in the habit of just disconnecting the internet when I’m not using it. I trade stock every day, so I have a high concern for what is happening. A lot of password changes and things, but I know I’m not safe. I’m a hardware guy and even though I managed software groups I don’t know squat about OS systems and how to crack them. It all seems to change faster than I can learn – maybe an age thing! LOL

It’s not age, and it’s not being a hardware guy. I’m a software guy, and I’m worried about exactly the same thing. I’ve not done a trade in a few months. Why? We had a few ‘day zero’ attacks published.

A ‘day zero’ attack means there is NO solution when it is first announced. Anyone who discovered it earlier has had a free field to roam. Anyone who reads the notice has a free field to use the attack until such time as: 1) A fix is found. 2) It is tested, and made public. 3) The public (and that means you) find out about the update and installs it.

The number and frequency of such attacks has gotten fast enough that you can’t keep up. For me, the “tipping point” was the Java Day Zero hack. Folks could escape the Java Virtual Machine and take over the box. A fix was likely ‘in a few weeks’…

That was when I started looking at a ‘disposable reasonably secure browser platform’. So that every boot becomes a new ‘crack’ to get in.

I boot the LiveCD, and launch two windows. One has “top” running. Shows all processes AND the cpu usage. It better not show high CPU without enough active processes, AND if the CPU is showing ‘wait %’ low while the CD or disk is active, something is very wrong… The other window has a trivial script:

while true
do
w
sleep 30
done

This puts the output of the ‘w’ (or who) command in a small panel. IF any unexpected ‘new login’ shows up, the panel ‘looks wrong’ and I can hit reboot.

As the router ‘blinky lights’ are in my field of view as well, this gives me fairly complete real time monitoring of ‘what is happening’ while I’m using the box to trade. So a system ‘cracker’ has to break in as soon as I boot up and before I enter my password at the trading site. Not likely.

It has to be done without unexpected levels of router traffic OR unexpected timing (you get good pretty quick at ‘what the blinky lights ought to look like’… though there will be one or two false alarms as you learn what happens when).

I has to be done without having an unexpected process rise to the top of the active process list (hard to do until AFTER the crack is done…) and it has to be done without the ‘login’ showing as a login (not as hard as a shell can be made to look like some other process) and THEN without causing a lot of other processes to show up while ‘doing things’ (very hard for the first 10 minutes or so, maybe longer).

Now, all THAT must be done while figuring out that the OS is NOT writable (you can’t slam in your own binaries) and that the normal system name space (file system space) is not normal and not writable. Again, not impossible, but very unusual.

And ‘unusual’ is your friend.

Many of the hacks are directly aimed at M.S. Pcs as they are 90ish percent of the targets. You get a big ‘pass’ just there. Then, of the Linux hacks, most of them are aimed at the more generic distributions. Of THEM, most do not expect a LiveCD install. Even at that point, were I making script tools, once I identified a ‘liveCD’, I’d likely just “move on”. I know that there is nothing ‘persistent’ I can do and I know that it is very unlikely that any amount of ‘interesting personal data’ is on that system anyway.

But say they DO get past all that and are ‘on the box’. I’m mounting ‘my data’ from two places. A read/write USB drive of limited capacity. (So I can save some files / state information). A larger USB space that has a large encrypted lump in it (or lumps) that only get a decryption for brief moments of time as things are moved into / out of it (them).

As there are only a couple of files at a time on the r/w space, ‘new stuff’ will show up and ‘size’ is likely to be noticed. For the encrypted lumps, if not yet opened, the ‘cracker’ has a GB scale lump to try moving to do something with it. Not going to happen (certainly not without ‘blinky lights’ going pretty hard…) IFF I’ve mounted the encrypted container as an open volume (to do something), we’ve got a race condition. They need to identify something they want, copy or molest it, and get out. All before I’m done doing a ‘copy’ or whatever and revert the file to closed / encrypted. Possibly a virus could manage to infect a file or to inside the container before I slam it shut, but not a lot of those in Linux Land…

Then I’m done and it shuts down. Any ‘tools’ inserted evaporate as the next boot is from the CD again and ‘pristine’. Any tools inserted on the USB will show up as a change of size (and putting a couple of MB, or even kB of tools onto a small USB is probably going to be noticed as I ‘check size’ at start up and randomly while doing things.

If really lazy, in a third tiny terminal window, run the script:

while true
do
df -ks
done

the ‘free’ blocks on any storage ought not to change unless YOU are in the process of saving a file…

While there are some normal Unix / Linux scripts that launch and ‘do things’ like writing syslog files; those go to RAMdisk on the LiveCD systems…

No, it’s not a perfect system. I’ll be adding more “belts and suspenders” over time.

But for now I think it’s likely to be a reasonable defense against the most common attacks (script kiddies and Black Hats with Toolz looking for Windoz boxes to exploit and wide open Linux to coopt into a D.of.Service attack drone).

If nothing else, that I boot the CD to ‘do things’ out of time cycle with Russia and China ought to be a feature right there…

IMHO, given the present state of things, if you use Windows, connected to the internet, and do any browsing at all, you ought to presume your system has been penetrated. Either by a person or by a ‘bot. The number of “day zero” holes and exploits coupled with the other ‘known and not fixed’ set is just too high.

For Linux, you need a decent firewall router from your ISP and turn on Linux Firewall (better still is a dedicated firewall box internally). Then keep up on patches and don’t click on anything that’s got risk. (or run from a CD ;-)

Macs are the best of the bunch, but even there having an added firewall box is a good idea. Opening ‘monitoring terminal widows’ and running scripts like above also helps.

So I’d suggest not being so hard on yourself. “It’s not about you.”…

At this point, I’m turning my laptop into a “crap top” box. Used for ‘nothing I really care about’. Even that lives in an encrypted lump most of the time. Downloads from public places. Stuff evaluated and stuck in a container. Virus scans run. Things I care about will be ‘run from a locked OS’ one way or another. Oh, and I’m making a NAS Network Attached Storage that will almost always be ‘read only’. Writing things to it will require a ‘special remount’. So the bulk of all my data will be protected from any rogue programs trying to infect them, rewrite them, whatever. Essentially “new” and “changed” versions get ‘journaled’ to a short term storage that only occasionally gets copied to the archive (and then only with external network shut off and any needed ‘scans’ done.)

Paranoid? Nope… because they ARE out to get you. Several $Million worth of budgets for hacking systems just in China alone…

@ EM – Thanks for the tips, a step at a time closer to safety. The disturbing part is the bad guys work at this full time!
I read once that China has over 330,000 hackers attacking the US. They even have clubs formed to work together on hacks. The colleges actually teach coarses on hacking. With this much activity it literally is an unspoken war. Throw in Russia and India, as well as the bad guys in America and it almost seems overwhelming.
Our government can’t seem to get the computers to talk to one another, maybe they should hire the hackers!

Postings By Date

Prior Months; postings by date

Meta

To Donate via Paypal or Credit card

Paypal Donation Site.
To make a donation, visit Paypal at the link above and put in the email address pub4all @ aol (DOT) com (leaving out the gratuitous blanks and putting in a "." for (DOT) that is in the text here to defeat spam bots). Many thanks to all!